Hello friends, I need to clear up a doubt with you.
I have Suricata running here and I do some local tests to see if it triggers any alerts, and it is triggering them.
It has been running for about a week and has just picked up two ZMAP scanner alerts. I would like to know how I can see if the rules are all active, or how many are active, to check whether everything is all right or only a few of them are active.
Hi,
There are a couple of ways that you can view information about the rules that Suricata has loaded:
1. Suricata displays rule-related values when it (a) starts and (b) reloads rules.
2. Use the suricatasc command.
Example output for (1):
```
14/10/2020 -- 07:39:13 - <Info> - 1 rule files processed. 19188 rules successfully loaded, 0 rules failed
14/10/2020 -- 07:39:13 - <Info> - Threshold config parsed: 0 rule(s) found
14/10/2020 -- 07:39:14 - <Info> - 19191 signatures processed. 1094 are IP-only rules, 3860 are inspecting packet payload, 14180 inspect application layer, 0 are decoder event only
```
Example for (2):
```
# suricatasc -c ruleset-stats /usr/local/var/run/suricata/suricata-command.socket
{"message": [{"id": 0, "rules_loaded": 19188, "rules_failed": 0}], "return": "OK"}
```
I used the command suricatasc and it showed me a list of commands to use. I used the command ruleset-stats and it showed me this:
```
Success:
[
  {
    "id": 0,
    "rules_failed": 0,
    "rules_loaded": 23130
  }
]
```
Is it correct then?
Hi @Douglas_Ribeiro!
This seems alright if you want to see the rule stats. Here, you see the number of rules loaded and failed with the Suricata engine. If you want to check active rules, suricata-update would be able to give you the best results.
If you run suricata-update, you'll see a line like
```
14/10/2020 -- 19:49:09 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 28335; enabled: 21311; added: 172; removed 3; modified: 7114
```
Active rules: 21311 in the file /var/lib/suricata/rules/suricata.rules.
(Added, removed, etc. are there because it is the rule manager and keeps updating the rules according to flowbit dependencies and/or changes from the rule source.)
This also gives you the file name where your rules are stored, so you can check that file out for all the rules. (The ones starting with # are disabled; the rest are enabled.)
We are working on generating a report of any changes made to the rules so it's easy to check if something was changed among the existing rules: https://github.com/OISF/suricata-update/pull/246
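As an added example (not code from the Suricata project or from anyone in this thread), the script below does the two checks discussed in the replies above in one place: it counts enabled versus disabled rules in a suricata-update style rules file, where a disabled rule is written as `# alert ...` while a plain comment line is not a rule at all, and it compares the enabled count with the `rules_loaded`/`rules_failed` figures from `suricatasc -c ruleset-stats`. The rules file content and the `ruleset-stats` JSON used here are constructed samples; the sid values are arbitrary and do not refer to real signatures. It goes slightly beyond the thread by distinguishing ordinary comment lines from commented-out rules, which a bare `grep -c '^#'` would not.

```python
"""Count enabled/disabled rules in a Suricata rules file and compare the
result with the engine's ruleset-stats output.

Added example, not code from the Suricata project or the forum thread.
SAMPLE_RULES and the JSON passed to engine_matches_file() are constructed
inputs; sid numbers are arbitrary and refer to no real signature.
"""
import json
import re

# A rule line begins with an action keyword. suricata-update writes disabled
# rules as "# alert ...", so a comment such as "# Rules generated by ..." must
# not be counted as a (disabled) rule.
ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
RULE_RE = re.compile(r"^(?P<disabled>#\s*)?(?P<action>" + "|".join(ACTIONS) + r")\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample resembling /var/lib/suricata/rules/suricata.rules.
SAMPLE_RULES = """\
# Rules generated by suricata-update (constructed sample, not a real file)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; flow:to_server; sid:9000001; rev:1;)
alert http any any -> any any (msg:"EXAMPLE bad UA"; http.user_agent; content:"zmap"; sid:9000002; rev:2;)
# alert tcp any any -> any 23 (msg:"EXAMPLE disabled telnet rule"; sid:9000003; rev:1;)
drop ip any any -> any any (msg:"EXAMPLE drop rule"; sid:9000004; rev:1;)

# alert udp any any -> any 53 (msg:"EXAMPLE disabled dns rule"; sid:9000005; rev:1;)
"""


def parse_rules(text):
    """Return (enabled_sids, disabled_sids) for the given rules-file content."""
    enabled, disabled = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or an ordinary comment, not a rule
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        (disabled if m.group("disabled") else enabled).append(sid)
    return enabled, disabled


def summarize(text):
    """Counts in the same shape suricata-update prints: total/enabled/disabled."""
    enabled, disabled = parse_rules(text)
    return {
        "total": len(enabled) + len(disabled),
        "enabled": len(enabled),
        "disabled": len(disabled),
    }


def engine_matches_file(ruleset_stats_json, text):
    """Compare 'suricatasc -c ruleset-stats' output with the rules file.

    Returns (ok, detail). ok is False if the command did not return OK, if
    any rule failed to load, or if the engine loaded a different number of
    rules than the file has enabled (e.g. another rule file is also loaded,
    or the engine is still running an older ruleset and needs a reload).
    """
    stats = json.loads(ruleset_stats_json)
    if stats.get("return") != "OK":
        return False, "suricatasc returned %r" % stats.get("return")
    loaded = sum(entry["rules_loaded"] for entry in stats["message"])
    failed = sum(entry["rules_failed"] for entry in stats["message"])
    enabled = summarize(text)["enabled"]
    if failed:
        return False, "%d rule(s) failed to load; check suricata.log" % failed
    if loaded != enabled:
        return False, "engine loaded %d rules but file has %d enabled" % (loaded, enabled)
    return True, "engine loaded all %d enabled rules" % loaded


if __name__ == "__main__":
    import sys
    # Pass the path of a real rules file to summarize it instead of the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    content = open(path).read() if path else SAMPLE_RULES
    print(summarize(content))
```

Run it with the path of your suricata.rules to get the enabled/disabled counts, and feed the JSON from `suricatasc -c ruleset-stats` to `engine_matches_file()` to confirm the running engine has loaded exactly what the file enables.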